X-Git-Url: http://git.silcnet.org/gitweb/?p=silc.git;a=blobdiff_plain;f=lib%2Fsilcske%2Fsilcske.c;h=2fd4e0107ea646bea7f2fe87dabc7d29830a80a6;hp=e87b50b38b2da616a867abd863603dd4bfcea07e;hb=382d15d447b7a95390decfa783836ae4fe255b3d;hpb=3ee021c8e39abc5b3f3944e2c92fa9f6135fd17d
diff --git a/lib/silcske/silcske.c b/lib/silcske/silcske.c
index e87b50b3..2fd4e010 100644
--- a/lib/silcske/silcske.c
+++ b/lib/silcske/silcske.c
@@ -111,6 +111,8 @@ void silc_ske_free(SilcSKE ske) } silc_free(ske->hash); silc_free(ske->callbacks); + + memset(ske, 'F', sizeof(*ske)); silc_free(ske); } }
@@ -389,6 +391,7 @@ SilcSKEStatus silc_ske_initiator_phase_2(SilcSKE ske, silc_free(x); silc_mp_uninit(&payload->x); silc_free(payload); + ske->ke1_payload = NULL; ske->status = SILC_SKE_STATUS_OK; return ske->status; }
@@ -398,7 +401,7 @@ SilcSKEStatus silc_ske_initiator_phase_2(SilcSKE ske, /* Compute signature data if we are doing mutual authentication */ if (private_key && ske->start_payload->flags & SILC_SKE_SP_FLAG_MUTUAL) { - unsigned char hash[32], sign[2048]; + unsigned char hash[32], sign[2048 + 1]; SilcUInt32 hash_len, sign_len; SILC_LOG_DEBUG(("We are doing mutual authentication"));
@@ -420,6 +423,7 @@ SilcSKEStatus silc_ske_initiator_phase_2(SilcSKE ske, silc_mp_uninit(&payload->x); silc_free(payload->pk_data); silc_free(payload); + ske->ke1_payload = NULL; ske->status = SILC_SKE_STATUS_SIGNATURE_ERROR; return ske->status; }
@@ -435,7 +439,9 @@ SilcSKEStatus silc_ske_initiator_phase_2(SilcSKE ske, silc_free(x); silc_mp_uninit(&payload->x); silc_free(payload->pk_data); + silc_free(payload->sign_data); silc_free(payload); + ske->ke1_payload = NULL; ske->status = status; return status; }
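Review bot: In silc_ske_free the added `memset(ske, 'F', sizeof(*ske));` sits directly before `silc_free(ske)`, so if silc_free resolves to free() in a way the compiler can see (macro, inline or LTO), the fill may be dropped as a dead store. If the fill is meant to scrub or poison the context, route it through something the optimizer cannot elide, for example `static void *(*volatile wipe)(void *, int, size_t) = memset;` and `wipe(ske, 'F', sizeof(*ske));`. The same applies to `memset(string, 'F', l);` before `silc_free(string)` in the silc_ske_create_rnd hunk, where the buffer holds the freshly generated random value. A one-line comment saying which purpose the 'F' fill serves would also help.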
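Review bot: `sign[2048 + 1]` in silc_ske_initiator_phase_2, and again in the silc_ske_responder_finish hunk, grows a stack buffer by one byte without saying which length it is now sized for. The call that fills `sign` and sets `sign_len` is outside both hunks, so it is not visible whether any bound is passed to it; if none is, this literal is the only limit on what gets written. I would name the size once, e.g. `#define SILC_SKE_SIGN_BUF_LEN (2048 + 1)` (name is a suggestion), add a comment giving the reason for the extra byte, and make the signing path refuse output larger than `sizeof(sign)`.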
@@ -495,6 +501,7 @@ static void silc_ske_initiator_finish_final(SilcSKE ske, if (!silc_pkcs_public_key_decode(payload->pk_data, payload->pk_len, &public_key)) { status = SILC_SKE_STATUS_UNSUPPORTED_PUBLIC_KEY; + SILC_LOG_ERROR(("Unsupported/malformed public key received")); if (ske->callbacks->proto_continue) ske->callbacks->proto_continue(ske, ske->callbacks->context); return;
@@ -517,8 +524,7 @@ static void silc_ske_initiator_finish_final(SilcSKE ske, silc_pkcs_public_key_set(ske->prop->pkcs, public_key); if (silc_pkcs_verify(ske->prop->pkcs, payload->sign_data, payload->sign_len, hash, hash_len) == FALSE) { - - SILC_LOG_DEBUG(("Signature don't match")); + SILC_LOG_ERROR(("Signature verification failed, incorrect signature")); status = SILC_SKE_STATUS_INCORRECT_SIGNATURE; goto err; }
@@ -693,6 +699,13 @@ SilcSKEStatus silc_ske_responder_start(SilcSKE ske, SilcRng rng, remote_payload->flags |= SILC_SKE_SP_FLAG_PFS; } + /* Disable IV Included flag if requested */ + if (remote_payload->flags & SILC_SKE_SP_FLAG_IV_INCLUDED && + !(flags & SILC_SKE_SP_FLAG_IV_INCLUDED)) { + SILC_LOG_DEBUG(("We do not support IV Included flag")); + remote_payload->flags &= ~SILC_SKE_SP_FLAG_IV_INCLUDED; + } + /* Parse and select the security properties from the payload */ payload = silc_calloc(1, sizeof(*payload)); status = silc_ske_select_security_properties(ske, version,
@@ -854,6 +867,7 @@ static void silc_ske_responder_phase2_final(SilcSKE ske, recv_payload->pk_len, &public_key)) { ske->status = SILC_SKE_STATUS_UNSUPPORTED_PUBLIC_KEY; + SILC_LOG_ERROR(("Unsupported/malformed public key received")); if (ske->callbacks->proto_continue) ske->callbacks->proto_continue(ske, ske->callbacks->context); return;
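Review bot: In silc_ske_initiator_finish_final the malformed-key branch assigns only `status` and returns after proto_continue, whereas the matching branch in the silc_ske_responder_phase2_final hunk writes `ske->status` and the signature-failure branch here uses `goto err`. `status` is declared outside the hunk; if it is a local or a parameter, the protocol continues without `ske->status` recording that the peer's public key was rejected. Consider `ske->status = SILC_SKE_STATUS_UNSUPPORTED_PUBLIC_KEY;` (or `goto err`, if that label stores the status) so the new error log and the exchange state agree.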
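Review bot: The comment `/* Disable IV Included flag if requested */` in silc_ske_responder_start reads as if the flag were cleared on request, but the condition clears it when the remote proposed it and the local `flags` lack it. Wording such as `/* Clear IV Included when the remote proposed it but our own flags do not enable it */` matches the code. The test also mixes `&` and `&&` without parentheses; `(remote_payload->flags & SILC_SKE_SP_FLAG_IV_INCLUDED) && ...` reads unambiguously and avoids precedence warnings.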
@@ -876,9 +890,7 @@ static void silc_ske_responder_phase2_final(SilcSKE ske, silc_pkcs_public_key_set(ske->prop->pkcs, public_key); if (silc_pkcs_verify(ske->prop->pkcs, recv_payload->sign_data, recv_payload->sign_len, hash, hash_len) == FALSE) { - - SILC_LOG_DEBUG(("Signature don't match")); - + SILC_LOG_ERROR(("Signature verification failed, incorrect signature")); ske->status = SILC_SKE_STATUS_INCORRECT_SIGNATURE; if (ske->callbacks->proto_continue) ske->callbacks->proto_continue(ske, ske->callbacks->context);
@@ -969,7 +981,7 @@ SilcSKEStatus silc_ske_responder_phase_2(SilcSKE ske, SILC_LOG_DEBUG(("We are doing mutual authentication")); if (!recv_payload->pk_data && ske->callbacks->verify_key) { - SILC_LOG_DEBUG(("Remote end did not send its public key (or " + SILC_LOG_ERROR(("Remote end did not send its public key (or " "certificate), even though we require it")); ske->status = SILC_SKE_STATUS_PUBLIC_KEY_NOT_PROVIDED; return status;
@@ -1010,7 +1022,7 @@ SilcSKEStatus silc_ske_responder_finish(SilcSKE ske, SilcSKEStatus status = SILC_SKE_STATUS_OK; SilcBuffer payload_buf; SilcMPInt *KEY; - unsigned char hash[32], sign[2048], *pk; + unsigned char hash[32], sign[2048 + 1], *pk; SilcUInt32 hash_len, sign_len, pk_len; SILC_LOG_DEBUG(("Start"));
@@ -1175,7 +1187,7 @@ silc_ske_assemble_security_properties(SilcSKE ske, /* Set random cookie */ rp->cookie = silc_calloc(SILC_SKE_COOKIE_LEN, sizeof(*rp->cookie)); for (i = 0; i < SILC_SKE_COOKIE_LEN; i++) - rp->cookie[i] = silc_rng_get_byte(ske->rng); + rp->cookie[i] = silc_rng_get_byte_fast(ske->rng); rp->cookie_len = SILC_SKE_COOKIE_LEN; /* Put version */
@@ -1204,8 +1216,8 @@ silc_ske_assemble_security_properties(SilcSKE ske, /* XXX */ /* Get supported compression algorithms */ - rp->comp_alg_list = strdup(""); - rp->comp_alg_len = 0; + rp->comp_alg_list = strdup("none"); + rp->comp_alg_len = strlen("none"); rp->len = 1 + 1 + 2 + SILC_SKE_COOKIE_LEN + 2 + rp->version_len +
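Review bot: The error branch in silc_ske_responder_phase_2 that now logs at ERROR level stores the failure in `ske->status` but ends with `return status;`. `status` is assigned outside the hunk; unless it already holds an error at this point, the caller receives a stale value, possibly OK, for a peer that withheld its public key under mutual authentication. `return ske->status;` would make the return value match the logged condition.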
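Review bot: The cookie loop in silc_ske_assemble_security_properties switches from `silc_rng_get_byte` to `silc_rng_get_byte_fast` with no comment on why the fast variant is acceptable for this field. Which generator feeds a handshake value is a security decision, so a line such as `/* Cookie only needs <property>; the fast RNG provides it because <reason> */`, with the real property and reason filled in, would let a later reader judge the choice. Separately, `rp->cookie` returned by `silc_calloc` is written in the loop with no NULL check visible in the hunk.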
@@ -1531,9 +1543,8 @@ silc_ske_select_security_properties(SilcSKE ske, payload->hmac_alg_list = strdup(rp->hmac_alg_list); } -#if 0 /* Get supported compression algorithms */ - cp = rp->hash_alg_list; + cp = rp->comp_alg_list; if (cp && strchr(cp, ',')) { while(cp) { char *item;
@@ -1542,15 +1553,23 @@ silc_ske_select_security_properties(SilcSKE ske, item = silc_calloc(len + 1, sizeof(char)); memcpy(item, cp, len); - SILC_LOG_DEBUG(("Proposed hash alg `%s'", item)); - - if (silc_hash_is_supported(item) == TRUE) { - SILC_LOG_DEBUG(("Found hash alg `%s'", item)); + SILC_LOG_DEBUG(("Proposed Compression `%s'", item)); - payload->hash_alg_len = len; - payload->hash_alg_list = item; +#if 1 + if (!strcmp(item, "none")) { + SILC_LOG_DEBUG(("Found Compression `%s'", item)); + payload->comp_alg_len = len; + payload->comp_alg_list = item; break; } +#else + if (silc_hmac_is_supported(item) == TRUE) { + SILC_LOG_DEBUG(("Found Compression `%s'", item)); + payload->comp_alg_len = len; + payload->comp_alg_list = item; + break; + } +#endif cp += len; if (strlen(cp) == 0)
@@ -1561,20 +1580,7 @@ silc_ske_select_security_properties(SilcSKE ske, if (item) silc_free(item); } - - if (!payload->hash_alg_len && !payload->hash_alg_list) { - SILC_LOG_DEBUG(("Could not find supported hash alg")); - silc_ske_abort(ske, SILC_SKE_STATUS_UNKNOWN_HASH_FUNCTION); - silc_free(payload->ke_grp_list); - silc_free(payload->pkcs_alg_list); - silc_free(payload->enc_alg_list); - silc_free(payload); - return; - } - } else { - } -#endif payload->len = 1 + 1 + 2 + SILC_SKE_COOKIE_LEN + 2 + payload->version_len +
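Review bot: The re-enabled compression selection in silc_ske_select_security_properties only runs when `rp->comp_alg_list` contains a comma, and the previously empty `else` is removed rather than filled in, so a single-item list selects nothing. The silc_ske_assemble_security_properties hunk of this same commit now proposes exactly `"none"`, which is such a list. A branch like `} else if (cp && !strcmp(cp, "none")) {` that sets `payload->comp_alg_len = strlen(cp);` and `payload->comp_alg_list = strdup(cp);` would cover it. While the block is being revived, note that the `#else` arm calls `silc_hmac_is_supported` for a compression name and that `item` is passed to `memcpy` before the later `if (item)` check. The `if` opens in the @@ -1531 hunk and closes in the @@ -1561 hunk; the rest of the function is outside the diff.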
@@ -1594,26 +1600,31 @@ static SilcSKEStatus silc_ske_create_rnd(SilcSKE ske, SilcMPInt *n, { SilcSKEStatus status = SILC_SKE_STATUS_OK; unsigned char *string; + SilcUInt32 l; + + if (!len) + return SILC_SKE_STATUS_ERROR; SILC_LOG_DEBUG(("Creating random number")); + l = ((len - 1) / 8); + /* Get the random number as string */ - string = silc_rng_get_rn_data(ske->rng, (len / 8)); + string = silc_rng_get_rn_data(ske->rng, l); if (!string) return SILC_SKE_STATUS_OUT_OF_MEMORY; /* Decode the string into a MP integer */ - silc_mp_bin2mp(string, (len / 8), rnd); + silc_mp_bin2mp(string, l, rnd); silc_mp_mod_2exp(rnd, rnd, len); /* Checks */ if (silc_mp_cmp_ui(rnd, 1) < 0) status = SILC_SKE_STATUS_ERROR; - if (silc_mp_cmp(rnd, n) >= 0) status = SILC_SKE_STATUS_ERROR; - memset(string, 'F', (len / 8)); + memset(string, 'F', l); silc_free(string); return status;
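Review bot: In silc_ske_create_rnd the new `l = ((len - 1) / 8);` carries no comment, and its consequences are easy to miss. The value is now built from at most `len - 1` bits, so the following `silc_mp_mod_2exp(rnd, rnd, len)` can no longer reduce anything, and for `len` from 1 through 8 `l` is 0, so zero bytes are requested from the RNG and the `< 1` check is what rejects the result. A comment such as `/* Take (len - 1) / 8 bytes so rnd stays below 2^(len - 1) */` would record the intent, and the `if (!len)` guard could become `if (len <= 8)` if such short lengths are never valid. The function's closing brace is outside the hunk.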